From eab9eaca8d60c68d297f6638aeaaa86fd56ad3ad Mon Sep 17 00:00:00 2001
From: rmkml
Date: Sun, 2 Aug 2020 20:13:30 +0200
Subject: [PATCH 1/2] add Ragnarok Ransomware
---
 clusters/malpedia.json | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index c4e4bfec..41fea167 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -6,7 +6,8 @@
 "Andrea Garavaglia",
 "Andras Iklody",
 "Daniel Plohmann",
- "Christophe Vandeplas"
+ "Christophe Vandeplas",
+ "Rmkml"
 ],
 "category": "tool",
 "description": "Malware galaxy cluster based on Malpedia.",
@@ -18809,7 +18810,38 @@
 },
 "uuid": "237a1c2e-fb14-583d-ab2c-71f10a52ec06",
 "value": "MedusaLocker"
+ },
+ {
+ "description": "Raccoon is a stealer and collects \"passwords, cookies and autofill from all popular browsers (including FireFox x64), CC data, system information, almost all existing desktop wallets of cryptocurrencies\".",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon",
+ "https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf",
+ "https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block"
+ ],
+ "synonyms": [
+ "Racoon"
+ ],
+ "type": []
+ },
+ "uuid": "10c03b2e-5e53-11ea-ac08-00163cdbc7b4",
+ "value": "Raccoon"
+ },
+ {
+ "description": "According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets using the system's Language ID for filtering. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. Encryption method is AES using a dynamically generated key, then bundling this key up via RSA.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/",
+ "https://news.sophos.com/en-us/2020/05/21/asnarok2/",
+ "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "10c03b2f-5e52-01ea-bc08-00153cdbc7b3",
+ "value": "Ragnarok"
 }
 ],
- "version": 2561
+ "version": 2563
 }
From 6d10e3a37d2f8c93cc7b2e9b51d4a8b0b784d811 Mon Sep 17 00:00:00 2001
From: rmkml
Date: Sun, 2 Aug 2020 20:46:32 +0200
Subject: [PATCH 2/2] add Ragnarok Ransomware
---
 clusters/malpedia.json | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
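Review bot: The `uuid` added for the Ragnarok entry, `"uuid": "10c03b2f-5e52-01ea-bc08-00153cdbc7b3"`, is not a valid RFC 4122 UUID: its version nibble (the first hex digit of the third group, `01ea`) is `0`, where the neighbouring MedusaLocker (`583d`) and Raccoon (`11ea`) values carry versions 5 and 1. It looks as if it was produced by hand-editing the Raccoon UUID one character at a time, which is exactly how accidental collisions and validator rejections arise in a cluster that identifies every object by its uuid; generate a fresh value with a library (for example Python's `uuid.uuid4()`) instead. The Raccoon entry also seems to be already upstream: the second patch in this series (`index 45b2c296..41fea167`, base `"version": 2562`) shows `"value": "Raccoon"` among its context lines, so applying both patches as they stand would insert Raccoon twice. The same uuid is added again in the second patch's hunk at `@@ -18826,7 +18827,21 @@`, so the fix applies there as well.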
diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index 45b2c296..41fea167 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -6,7 +6,8 @@
 "Andrea Garavaglia",
 "Andras Iklody",
 "Daniel Plohmann",
- "Christophe Vandeplas"
+ "Christophe Vandeplas",
+ "Rmkml"
 ],
 "category": "tool",
 "description": "Malware galaxy cluster based on Malpedia.",
@@ -18826,7 +18827,21 @@
 },
 "uuid": "10c03b2e-5e53-11ea-ac08-00163cdbc7b4",
 "value": "Raccoon"
+ },
+ {
+ "description": "According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets using the system's Language ID for filtering. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. Encryption method is AES using a dynamically generated key, then bundling this key up via RSA.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/",
+ "https://news.sophos.com/en-us/2020/05/21/asnarok2/",
+ "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "10c03b2f-5e52-01ea-bc08-00153cdbc7b3",
+ "value": "Ragnarok"
 }
 ],
- "version": 2562
+ "version": 2563
 }
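Review bot: The Ragnarok entry's `refs` carries no Malpedia details URL, although the cluster describes itself as `"Malware galaxy cluster based on Malpedia."` and the Raccoon entry directly above it leads with `https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon`. If the family has a Malpedia page, add it as the first ref following that `details/<family-id>` pattern; if it does not, this cluster is probably the wrong home for the entry, since a cluster derived from Malpedia may be regenerated from upstream and drop hand-added objects (inferred from the description, not visible here). The third ref, `https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw`, points at a `blob/master` path that can change or disappear; pinning it to a commit-specific URL keeps the citation stable. Finally, `"synonyms": []` leaves the Sophos "Asnarök" naming from the second ref unrecorded — worth confirming and adding as a synonym if the analyst considers it the same family.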